Kibana: Saved object authorization - Phase 1

Created on 17 Jul 2015 · 81Comments · Source: elastic/kibana

Currently, Kibana does not support any fine-grained access control in the UI, so all dashboards, visualizations, and saved searches are available to every authenticated user. This may present a problem when Kibana is used by multiple groups that wish to share a single Kibana instance and restrict who can see each of these saved objects.

To be clear, a reasonable workaround at this time is to set up multiple Kibana instances, one per group. However, as the number of groups gets large and dynamic, this may not be an ideal approach.

Here we propose an initial cut at proposed functionality and workflow for sharing one Kibana instance among multiple groups with different access rights. At a high-level this enhancement will allow for two things:

Saved objects (views, dashboards, searches) can be grouped
Users will have access to these groups

From an interaction perspective, we propose to explore using the concept of object tags to group Kibana objects (#1052).

Saved objects can be tagged
Users can also be associated with tags
Anyone can create new tags and associate them with user groups
If a user is associated with a tag, this user has all access to the saved object (view, modify, delete, etc..)
If a user is associated with a tag, this user can also add this tag to any object he already has access to (users can delegate rights to objects they have access to)
If a user is associated with a tag, this user can also add any other user to this tag (users can modify membership of groups they are a part of)
When a user creates a new object and does not assign a tag to it, the “everyone” tag is automatically assigned and the object is visible to everyone
If a user wants a private object, he can create a new tag only associated with himself
There is a static “everyone” tag that every user gets. Assigning this tag to an object makes it accessible to everyone.

Out of scope for this phase:

No fine-grained capabilities, such as create, update, delete, view (all-or-nothing access to objects)
No special superuser privileges, such as ability to restrict access to administrative actions, such as modifying advanced settings, adding index patterns, etc..
No fine-grained access to parts of saved objects (e.g. particular buttons, parts of a specific visualization, etc..)

Related issues: #1559, #3904

Security enhancement

Source

tbragin

👍38

Most helpful comment

плюс один

looofi on 28 Mar 2017

👍2

All 81 comments

surbhi26 on 23 Jul 2015

tbragin: you mentioned a workaround using multiple kibana instances. that would work for me as i only have two groups. one gets full access, the other would be limited to certain types of logs such as access logs.

for this setup, would i need to save access logs to an additional index that the second kibana instance connects points to?

chandlermelton on 5 Aug 2015

Does this approach works with Shield?

Currently we use multiple Kibana instances with different .kibana-index to split our groups.
User in the group should see different dashboard / data.
For every new group we've to setup an new instance. This would be a big issue for our customer.
Due to organizational requirements this generate costs.

Malu44 on 5 Aug 2015

via @dannymeijer in #4714

In our use-case we are looking to start deploying Kibana to a very broad user base. To prevent issues with people 'accidentally' breaking something for someone else (for example, deleting someone else's dashboard) we want to be able to define authorization levels.

I was thinking something like this (as an example):

A regular user:
Can discover and use any of the stored visualizations, but you don't want a regular user to 'mess anything up'. Unable to save or manage objects.
A privileged user:
Has some more rights than a regular user. Can create dashboards and manage some of the settings, but nothing too extensive.
Power users:
people that can modify everything.
Problem (as far as I can tell with the current releases) is that the level of lockdown is not to this level of detail that I am explaining. For example, I am able to remove the settings plugin, which gives me some security that the the settings will not get messed with. But this also removes the functionality/ability for users to manage saved objects (since it is nested within the settings plugin).

Another example of this is visualizations. I don't want regular users to create and store visualizations (they are just stopping by to check out content that is already there) - but disabling the visualization plugin will not just remove the visualizations tab; it completely disables all and every visualizations.

I hope I was extensive enough with examples to portray what I am talking about. The solution I had in mind would involve having the ability to customize in a more detailed level what users are presented with, maybe in the form of tags or buckets that you can predefine.

A requirement for this to work is obviously that the authentication framework is in place (issue #3904 / #4419 / #4634).

rashidkpc on 19 Aug 2015

If this can be tied to LDAP/AD where we already have different groups defined, that would be very nice.

TinLe on 19 Aug 2015

+1
with LDAP!

gustavomr on 1 Sep 2015

+1
We're in the same situation as @Malu44, so would be great to integrate this with Shield

sand0id on 15 Sep 2015

Kudo on 16 Sep 2015

tehsphinx on 21 Sep 2015

tulku on 22 Sep 2015

cdenneen on 25 Sep 2015

schast on 29 Sep 2015

davidw2 on 30 Sep 2015

dev-rke on 9 Oct 2015

etfeet on 19 Oct 2015

raphaele81 on 23 Oct 2015

+1!!
People that are meant to only warch my dashboard for analisys and getting information change my dashboards and visualizations(most of them think the changes are local) and i must import a backup every now and then.....
Group permissions will be great!

jonatansver on 26 Oct 2015

+1, this is so much needed.

basicNew on 30 Oct 2015

cjfpainter on 6 Nov 2015

resyst-it on 9 Nov 2015

+1 Setting up separate Kibana instance is not a good option for deployments with a service offering for thousands of customers, etc..

ppf2 on 20 Nov 2015

ericodom on 23 Nov 2015

+1000

gnom1gnom on 25 Nov 2015

Already doable with embeded dashboard.

Though it needs layout locking and the top bar display with timepicker.

On Wednesday, 25 November 2015, gnom1gnom [email protected] wrote:

+1000

—
Reply to this email directly or view it on GitHub
https://github.com/elastic/kibana/issues/4453#issuecomment-159556182.

Sent from Gmail Mobile

marcinkubica on 25 Nov 2015

How does this work with the limitation having only one kibana_index per Kibana Server?
I think each user needs his own index patterns, as he might not have access to all indicies.
Can Index-Patterns be filtered per user?

megastef on 22 Jan 2016

jmendiara on 1 Feb 2016

palmerabollo on 3 Feb 2016

DirtyPeanut on 23 Feb 2016

debelyoo on 24 Feb 2016

lentregu on 24 Feb 2016

veeruborra on 27 Feb 2016

Hronom on 10 Mar 2016

IGI-111 on 14 Mar 2016

GerySt on 23 Mar 2016

srpatatas on 13 Apr 2016

pankajkumar on 25 Apr 2016

rachorzzz on 27 Apr 2016

+1 this would put Kibana on a level playing field with Graylog2 which I'm looking to avoid using due to the complexities of deployment.

zindello on 13 May 2016

hkarpf on 28 May 2016

sergiolr100 on 22 Jun 2016

mattibf on 26 Jul 2016

pemontto on 26 Jul 2016

ilu on 5 Aug 2016

hariwalters on 17 Aug 2016

Noticed it's not there in Kibana 5 either.
+1

sleeper-service on 2 Nov 2016

😕1

vincent-ollivier-everysens on 7 Nov 2016

developersloth on 24 Nov 2016

amitripshtos on 27 Nov 2016

FlorentGuillin on 5 Dec 2016

GemsWest on 7 Dec 2016

simpleuser99 on 20 Dec 2016

kunwon1 on 31 Dec 2016

guidodobboletta on 18 Jan 2017

aremai on 23 Jan 2017

abdalians on 25 Jan 2017

vinodtalati on 27 Jan 2017

yuwtennis on 27 Jan 2017

mgoritzk on 13 Feb 2017

urtens on 21 Feb 2017

Hi all,

could be this a possible solution?

I used 5.2.0 version. In Kibana-Management-Users, create an user (user1) and specific role for this user (role1).

This user only must have access to the index "example-*", and only their visualizations, dashboards, searches...

== ROLE1 ==

Name: Role1
Cluster privileges: None
Index privileges:

| Indices: example-*
| Privileges: read, view_index_metadata
| Granted Fields: *

| Indices: .kibana
| Privileges: read, view_index_metadata
| Granted Fields: *
| Granted Documents Query

{
  "bool" : {
      "should" :  [
              { "term" :  { "_id" : "default_index" } },
              { "term" :  { "_id" : "5.2.0" } },
              { "term" :  { "_id" : "example-*" } },
         { "term" :  { "_id" : "DASHBOARD1" } },
         { "term" :  { "_id" : "DASHBOARD2" } },
         { "term" :  { "_id" : "..." } },
         { "term" :  { "_id" : "VISUALIZATION1" } },
         { "term" :  { "_id" : "VISUALIZATION2" } },
         { "term" :  { "_id" : "..." } },
         { "term" :  { "_id" : "SEARCH1" } },
         { "term" :  { "_id" : "SEARCH2" } },
         { "term" :  { "_id" : "..." } }
      ],
      "minimum_should_match" : 1
  }
}

You can create a neutral default index empty for all users. PUT /start

Regards

sergiolr100 on 22 Feb 2017

Any updates on this ?

AlexandrTuniev on 13 Mar 2017

xycloud on 27 Mar 2017

плюс один

looofi on 28 Mar 2017

👍2

@sergiolr100

Well I like the solution but facing some issue. Extremely sorry that I am asking query here .
So my role is like
Rolename :- Management
Cluster privileges: None
Index privileges:
| Indices: management
| Privileges: read, view_index_metadata
| Granted Fields: *

| Indices: .kibana_management
| Privileges: read, view_index_metadata
| Granted Fields: *
| Granted Documents Query

{
  "bool" : {
      "should" :  [
{ "term" :  { "_id" : "management" } },
{ "term" :  { "_id" : "5.2.2" } },
{ "term" :  { "_id" : "7a386190-19e5-11e7-90e2-a52016cb5a60" } }
      ],
      "minimum_should_match" : 1
  }
}

With above I cannot see data/document in the discover page, however with elastic user who created this index (management) can see the document/data in the discover page . FYI i have merged both above settings in a single role only also here ID is my visualization ID even this is not showing any data.

vg15 on 10 Apr 2017

drakkhen on 24 Apr 2017

AndreAga on 4 May 2017

Apache Shiro inspired me to create Rushiro https://github.com/guyboertje/rushiro for an e-commerce Rails platform that I worked on a few years back.

From what I have seen of the AWS permission system, it too is inspired by Shiro.

------ extract
The permission part has several pipe separated sections, you are completely free
to choose the schema, but remember that evaluation is on a left to right basis.

One suggestion might be: Domain|Action|Instance

Domain - aka resources, e.g. webpages, db entities, domain models or services
Action - entries from the set of actions available for the domain (crud, rw, use/manage)
Instance - these entries are 'labels' you have given to instances of the domain,
e.g. a particular webpage, a uuid or unique id of a db record
Note: Multiple comma separated entries are allowed, as is the * wildcard

example: this hash is processed into a hierarchy of objects

perm = {
  allows: {
    individual: [
      "feature|create,read,update|feat-x",
      "page|*|posts",
      "company|read"
      "company|update|5b90a720-e6b0-012e-dc18-782bcb979e60"
    ],
    organization: [],
    system: []
  },
  denies: {}
}

access_control = AllowBasedControl.new(perm)
access_control.permitted?("company|read|5b90a720-e6b0-012e-dc18-782bcb979e60") ==> true
access_control.permitted?("feature|delete|feat-x") ==> false

------ extract

guyboertje on 13 May 2017

Hi @tbragin
Any update on this enhancement? When and which version of Kibana we can see this? Will this be available as open source?

arult on 8 Sep 2017

What is the issue # in GitHub to enhance kibana to provide real fine grained access to kibana objects (where some users will have read, others can have full access) based on roles/group memebership? I can't find any. If that issue doesn't exist yet, it should. The approach used in this issue with tags that you can assign to objects still gives all users with that tag the same access level (full access) - not what a lot of people want. Thanks.

dfinkbeiner on 29 Sep 2017

Best solution I found so far regarding this issue:

https://github.com/wtakase/kibana-own-home

mostrovoi on 5 Oct 2017

CamiloSierraH on 21 Mar 2018

StephanBenning on 22 Mar 2018

georgezoto on 4 May 2018

dbroeh on 31 May 2018

Our company has figured out how to solve this problem: give up on ELK and just use Splunk. ELK is fine for a few people on a close-knit team but Splunk has way better user account-related functionality for a larger team or multiple teams.

drakkhen on 31 May 2018

tudro on 15 Jun 2018

patrickmhoge on 15 Jun 2018

+1, would love to see this feature be implemented in any proper form!

jeffrey-e on 19 Jul 2018

+1 but three years in and I don't believe anything has been done on this front?

We want to give outside access to our Kibana instance but fine grained access to dashboards is a MUST. Even internally this is kind of a necessity and I suppose that goes for everyone using Kibana outside of a small team.